Solved: Search for Users that have not Logged-in in the La...

jodros · ‎04-24-2014

I need to create a search that will look back over the last year and list all users that have not logged into a webserver. I was thinking about running a search that normalized, deduped, and listed all users in a table. Then I wanted to run a search against the table for all users with timestamps older than 30 days. I have the first part working, but not the search against the table. Any help would be appreciated.

sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | search _time>-30d

somesoni2 · ‎04-24-2014

Try this

sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | eval age_days=(now()-_time)/(60*60*24) | where age_days > 30

View solution in original post

somesoni2 · ‎04-24-2014

Try this

sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | eval age_days=(now()-_time)/(60*60*24) | where age_days > 30

jodros · ‎04-28-2014

Thanks! This worked for me.

Search for Users that have not Logged-in in the Last 30 Days

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...